Back to Basics: AI Isn't the Answer to What Ails Us in Cyber

The irony behind just about every headline-grabbing data breach we've seen in recent years is that they all could have been prevented with simple cyber hygiene.

Earlier this month, many of the planet's most influential leaders met at the World Economic Forum in Davos to address some of the most pressing issues of our time, including artificial intelligence (AI). AI was touted as the answer to everything from bespoke cancer therapies to more-efficient cheese making. Some people in cyber are turning to AI as well, arguing that machines will be able to more quickly adapt to and manage threats, and eventually even be able to predict (and therefore prevent) attacks.

AI has a great PR machine behind it and may hold good long-term potential. But it's not the answer to what ails us in cyber. In fact, I'd put AI in the same camp as advanced persistent threats (APTs) — sophisticated cyberattacks usually orchestrated by state-sponsored hackers and often undetected for long periods of time (think Stuxnet). Both are really intriguing, but in their own ways they're existential distractions from the necessary work at hand.

At the crux of just about every high-profile breach and compromise, from Yahoo to Equifax, sits a lack of foundational cyber hygiene. Those breaches weren't about failing to use some super-expensive, bleeding-edge, difficult-to-deploy and unproven mouse trap. In cyber, what differentiates the leaders from the laggards isn't spending millions and millions of dollars on sexy bells-and-whistles interfaces. It's about organizations setting a culture in which security matters. That means they prioritize cyber hygiene. They understand that cyber risk equals business risk in our digital age.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Consider the Equifax breach. When the company was called to testify before Congress about the catastrophic breach that affected 145 million Americans, they displayed a dazzling disregard of cyber-risk. Their willingness to blame the breach on a single engineer's slow response to a known vulnerability highlighted a lack of procedural discipline and rigor, to say nothing of the organization's immaturity in cybersecurity basics. AI cannot address or solve for this cultural misalignment.

Cyber Hygiene 101Let me be clear — perfect cybersecurity is not possible, no matter what anyone may say. If someone is determined at all costs to get through your defenses, the odds are good that they'll find a way in. But the irony behind just about all the headline-grabbing data breaches we've seen in recent years is that they could have been prevented with basic cyber hygiene. Why? Because even when state actors are behind an attack, they most often take advantage of lackadaisical security practices and use known vulnerabilities and exploits to get in. It's cheaper. It's easier. You don't have to burn a zero-day. Attribution is much harder, and there is a slew of other good reasons, which brings us back to the fact that basic cyber hygiene is the cheapest, easiest, and most effective way to improve your security posture.

What's even better news? Very good cybersecurity is within reach for most organizations. It begins with the fundamentals, and if you follow some of these best practices, you can prevent the vast supermajority of breaches and exploits.

Best Practice 1: Know your systems really, really well. This may seem obvious but it's astonishing how many organizations do not know precisely what technology they're using. This presents a twofold problem. First, you can't protect what you can't see. Second, technology is not risk free. For every digital investment — IT, cloud, mobile, apps, the Internet of Things, and DevOps — there is an accompanying risk. Most organizations fundamentally don't understand the extent of the systems they're using, how those systems can be exploited, or what they need to do to prevent that from happening.

Best Practice 2: Use state-of-the-art authentication and access management. If you're using passwords today, you simply fail to understand the reality of our threat environment. You need to embrace multifactor authentication. Think of TouchID or FaceID or something similar. Getting rid of passwords and the associated user failures moves the needle, and can improve user frustration. Along with that, manage account privileges based on what access is needed by whom.

Best Practice 3: Invest in better monitoring and more efficient response. The average number of days between the time a breach occurs and when it is detected consistently clocks in at over six months. Organizations can take advantage of the technologies that shrink this time by providing greater visibility into computing platforms — cloud, hybrid, or on-premises — to ensure that security teams have a complete view of their entire attack surface.

Here's a challenge that we should all embrace — let's make 2018 the year we all get serious about cybersecurity fundamentals. Let's get the basics right. Let's not throw our arms up in despair or search endlessly for the latest cure-all until we're adequately addressing the basics. Investing in AI is no substitute for sound fundamentals.

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio

As for AI (Artificial Intelligence), it's an unfortunate choice for a label, for something that is actually a dynamic artifact of collective human intelligence. You're right about the effective PR.

You can add a couple of more items to your best practices list:

Limit data access, and type of access, on a needs basis. If a knowledge worker doesn't require access of a particular kind, and from a particular source, in order to do their job, they shouldn't have it.

Know what data you have. Very hard to tell if something is missing or has been altered, if you don't know what you have, and where it is.

Limit the proliferation of data. Yes, you need a well thought out plan to recover compromised data; but more backup copies doesn't equate to more security - just the opposite. Also, limit the data used for analysis, using the same needs-based criteria mentioned above. Part of that is not running analysis directly on line-of-business/transactional data.

Each of these goals is easier to implement if your organization uses the proper modeling methodologies.

The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.

An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...

Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.